fix(sso): rely on lower(domain) match for conflict detection, drop dead in-memory recheck

Address PR review: the SQL `lower(domain) = <normalized>` predicate already
excludes rows that the in-memory `normalizeSSODomain(...) === domain` recheck
claimed to catch, making that recheck dead/misleading code. Match on the
canonical lower-cased domain and filter purely by ownership. Malformed legacy
values (wildcards, schemes, ports) never match an email domain at sign-in, so
excluding them is not a gap. Test DB mock now applies the lower() predicate so
the casing-variant case is genuinely exercised.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.test.ts

@@ -37,7 +37,14 @@ const {
 
 function makeBuilder(rows: any[]): any {
   const thenable: any = Promise.resolve(rows)
-  thenable.where = () => makeBuilder(rows)
+  thenable.where = (condition: any) => {
+    const values = condition?.values
+    if (Array.isArray(values) && values.length > 0) {
+      const target = String(values[values.length - 1]).toLowerCase()
+      return makeBuilder(rows.filter((r) => String(r.domain ?? '').toLowerCase() === target))
+    }
+    return makeBuilder(rows)
+  }
   thenable.limit = () => Promise.resolve(rows)
   thenable.orderBy = () => Promise.resolve(rows)
   return thenable

apps/sim/app/api/auth/sso/register/route.ts

@@ -83,15 +83,12 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
     const existingProviders = await db
       .select({
-        domain: ssoProvider.domain,
         userId: ssoProvider.userId,
         organizationId: ssoProvider.organizationId,
       })
       .from(ssoProvider)
       .where(sql`lower(${ssoProvider.domain}) = ${domain}`)
-    const conflictingProvider = existingProviders.find(
-      (provider) => normalizeSSODomain(provider.domain) === domain && !isOwnedByCaller(provider)
-    )
+    const conflictingProvider = existingProviders.find((provider) => !isOwnedByCaller(provider))
 
     if (conflictingProvider) {
       logger.warn('Rejected SSO registration for domain owned by another tenant', {